FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
melshehaby
Staff
Article Id 274766
Description

 

This article describes the causes of full disk utilization on FortiDeceptor and how to resolve it.

 

Scope

 

FortiDeceptor.

 

Solution

 

First, if the decoys are not configured to reset after an attack, the disk can fill up: an attacker who interacts with a decoy may download or install malware on it, and everything written to the decoy stays there and keeps increasing disk utilization until the decoy is reset.

 

So, while creating the decoys, make sure that the reset option is enabled. It is also possible to configure the time period after which the decoy is reset following an attack.

[Screenshot: decoy reset option and reset time period in the decoy configuration.]

 

Second, in FortiDeceptor version 4.1 and lower, a deployment network connected to a trunk port carrying a large traffic volume can also fill the disk. These versions analyze all traffic passing through the deployment network and store the traffic content temporarily; when traffic arrives faster than the temporary content is cleared, it accumulates and drives disk usage up.

 

There are three solutions:

The first solution is to limit, outside FortiDeceptor, the traffic that reaches the deployment network, for example by restricting the VLANs allowed on the trunk port or by connecting FortiDeceptor to an access port instead of a trunk port.

The second solution is to upgrade to version 4.2 or higher. Starting from 4.2, traffic analysis is no longer applied to all traffic on the deployment network but only to traffic destined for the decoys, which greatly reduces the size of the temporary content.

Of these, the second solution, upgrading to 4.2 or higher, is the recommended one.

 

The third solution is to run the CLI command data-purge -k<N>, which purges data older than the specified number of days, where N is a value from 1 to 365.

For example, to purge data older than 10 days:

 

data-purge -k10

 

The -k option cannot be combined with any other data-purge option.
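As an added example that is not part of the original article, the following POSIX shell helper builds the data-purge command from a retention value, enforcing the two constraints stated above (N must be an integer from 1 to 365, and -k cannot be combined with other options) before anything is sent to the appliance. Running the command over SSH against the FortiDeceptor CLI, and the host name fortideceptor.example.com, are assumptions for illustration; the validation logic is the point.

```shell
#!/bin/sh
# Added example, not FortiDeceptor code.
# build_purge_cmd DAYS [EXTRA...]
#   Prints "data-purge -k<DAYS>" on stdout and returns 0 when DAYS is an
#   integer in 1..365 and no extra options were supplied; otherwise prints
#   an error on stderr and returns 1 without emitting a command.
build_purge_cmd() {
    days="$1"
    shift

    # -k cannot be combined with other data-purge options (per the article).
    if [ "$#" -gt 0 ]; then
        echo "refusing to combine -k with other options: $*" >&2
        return 1
    fi

    # Must be a plain decimal integer (no sign, no spaces, no empty string).
    case "$days" in
        ''|*[!0-9]*)
            echo "retention must be an integer number of days, got '$days'" >&2
            return 1
            ;;
    esac

    # Range check: the article states N is 1-365.
    if [ "$days" -lt 1 ] || [ "$days" -gt 365 ]; then
        echo "retention must be between 1 and 365 days, got $days" >&2
        return 1
    fi

    printf 'data-purge -k%s\n' "$days"
}

# run_purge DAYS
#   Validates first, then (assumption) runs the command on the appliance CLI
#   over SSH. Host name and admin user are placeholders.
run_purge() {
    cmd=$(build_purge_cmd "$1") || return 1
    ssh admin@fortideceptor.example.com "$cmd"
}

# Example: purge data older than 10 days. Only a validated command is sent.
# run_purge 10
```

A cron entry that calls run_purge with a fixed value keeps disk usage bounded on versions where the trunk-port traffic analysis cannot yet be avoided, but it is a stopgap; the upgrade to 4.2 or higher remains the recommended fix.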